From 657875b145c788d29b8e3bf38f79264e657932ae Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Wed, 22 May 2013 21:29:45 +0200
Subject: avcodec/aic: Fix vlc value checks Fixes out of array accesses
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
---
 libavcodec/aic.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'libavcodec/aic.c')
diff --git a/libavcodec/aic.c b/libavcodec/aic.c
index bf8a0e4..5a7d6c7 100644
--- a/libavcodec/aic.c
+++ b/libavcodec/aic.c
@@ -201,7 +201,8 @@ static int aic_decode_coeffs(GetBitContext *gb, int16_t *dst,
 int has_skips, coeff_type, coeff_bits, skip_type, skip_bits;
 const int num_coeffs = aic_num_band_coeffs[band];
 const uint8_t *scan = aic_scan[band];
- int mb, idx, val;
+ int mb, idx;
+ unsigned val;
 has_skips = get_bits1(gb);
 coeff_type = get_bits1(gb);
@@ -215,6 +216,8 @@ static int aic_decode_coeffs(GetBitContext *gb, int16_t *dst,
 idx = -1;
 do {
 GET_CODE(val, skip_type, skip_bits);
+ if (val >= 0x10000)
+ return AVERROR_INVALIDDATA;
 idx += val + 1;
 if (idx >= num_coeffs)
 break;
--
cgit v1.1
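Review bot: Changing `val` to `unsigned` in the declaration affects every use of `val` in aic_decode_coeffs, while the only range check this commit adds is on the skip code in the second hunk; the rest of the function body lies outside both hunks. If `val` is also filled by other GET_CODE reads and then stored through the `int16_t *dst` parameter, those reads presumably need the same check, otherwise an oversized code would be narrowed silently on the store. The declaration should also say why the type matters, for example `unsigned val; /* unsigned: a negative or wrapped code must fail the range check */`.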
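Review bot: The bound `0x10000` in the added `if (val >= 0x10000)` is a bare constant with no stated relation to `num_coeffs`, which is the limit the index is tested against two lines later. As written the check keeps `idx += val + 1` from overflowing `int`, and it catches negative results from GET_CODE only because `val` is now unsigned; neither fact is visible at the call site. A comment such as `/* reject huge or negative skips so idx + val + 1 cannot overflow before the num_coeffs test */`, or a named constant for the limit, would keep a later cleanup from removing the guard. The do-loop body continues past the end of this hunk.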